Hi XG Community!

We've finished SFOS v17.0.0 GA. We will publish the new release in stages: we start with a small number of slots and will increase them over time.

Besides that, the release is available for all SFOS versions via the MySophos portal without staging.

Sophos Firewall Manager (SFM) and Sophos Central Firewall Manager (CFM) are now compatible with SFOS 17.0.0 GA. A hot-fix has been released for the following SFM versions:

  • SFM 16.1 RC-1
  • SFM 16.5 GA
  • SFM 16.5 MR-1

What's New

Setup, Control Center and Navigation

  • Initial Setup Wizard
  • Synchronized App Control Widget
  • Unified Log Viewer and More Granular Logging
  • How-to Guides

Security and Control

  • Synchronized App Control
  • Web Keyword Monitoring and Enforcement
  • IPS Policy Enhancements and Smart Filters
  • App Control Policy Enhancements and Smart Filters
  • Web Filtering Enhancements
  • Streaming Media Enhancements

Management and Troubleshooting

  • Firewall Rule Management
  • Firewall Rule and Policy Test Simulator

Reporting

  • Synchronized Applications Report
  • Web Keyword Content Report
  • Security Audit Report (SAR)
  • Report Scheduling

Network and VPN

  • IKEv2 Support
  • VPN UI Enhancements
  • Wildcard Support for Domain Name Host Objects
  • NAT Rule Enhancements

Email Protection

  • Smart Host
  • Greylisting
  • Recipient Verification

Synchronized Security

  • Synchronized Security in Discover (TAP) Mode Deployments
  • Synchronized App Control

Deployment and Hardware

  • Microsoft Azure High Availability
  • New Hardware Support
  • Central Management

Notes

IPsec aggressive mode with PSK is no longer supported for security reasons. This is due to a known weakness of the protocol: in aggressive mode, a hash of the pre-shared key is transmitted in clear text during the exchange, so the hash can be captured from the network.
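As an added illustration of the note above (this is example code written for this post, not anything shipped by Sophos or part of SFOS), the following Python snippet shows how a defender can spot IKEv1 aggressive-mode negotiations on the wire. It parses the fixed 28-byte ISAKMP header (RFC 2408) from a UDP/500 or UDP/4500 payload and flags exchange type 4 (Aggressive Mode), which is the mode this release removes; main mode (type 2) and IKEv2 (types 34/35, RFC 7296) pass as normal. It goes slightly beyond the note by also handling the 4-byte non-ESP marker used on UDP/4500 (NAT-T). The packets at the bottom are constructed here for the demonstration and are not real captures.

```python
import struct
from typing import NamedTuple, Optional

# Exchange-type codes from RFC 2408 sec. 3.1 (IKEv1) and RFC 7296 sec. 3.1 (IKEv2).
EXCHANGE_TYPES = {
    2: "IKEv1 Identity Protection (Main Mode)",
    4: "IKEv1 Aggressive Mode",
    5: "Informational",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
}

# ISAKMP header layout: 8-byte initiator SPI, 8-byte responder SPI, next payload,
# version (major nibble / minor nibble), exchange type, flags, message ID, length.
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes


class IsakmpHeader(NamedTuple):
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_isakmp_header(payload: bytes, udp_port: int = 500) -> IsakmpHeader:
    """Parse the ISAKMP header from a UDP payload; raises ValueError if malformed."""
    if udp_port == 4500:
        # NAT-T: IKE datagrams on UDP/4500 start with a 4-byte zero non-ESP marker.
        if len(payload) < 4 or payload[:4] != b"\x00\x00\x00\x00":
            raise ValueError("not an IKE datagram on UDP/4500 (missing non-ESP marker)")
        payload = payload[4:]
    if len(payload) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        HEADER_FMT, payload[:HEADER_LEN]
    )
    return IsakmpHeader(ispi, rspi, next_payload, version >> 4, version & 0x0F,
                        exch, flags, msg_id, length)


def classify(payload: bytes, udp_port: int = 500) -> Optional[str]:
    """Return an 'ALERT: ...' line for IKEv1 aggressive mode, 'ok: ...' otherwise,
    or None if the payload is not a parseable IKE datagram."""
    try:
        hdr = parse_isakmp_header(payload, udp_port)
    except ValueError:
        return None
    name = EXCHANGE_TYPES.get(hdr.exchange_type, f"unknown exchange type {hdr.exchange_type}")
    if hdr.major_version == 1 and hdr.exchange_type == 4:
        return f"ALERT: {name} initiator_spi={hdr.initiator_spi.hex()}"
    return f"ok: {name}"


def build_header(exchange_type: int, major: int = 1, minor: int = 0,
                 next_payload: int = 1, body: bytes = b"") -> bytes:
    """Build a constructed (not captured) ISAKMP datagram for the demonstration."""
    ispi, rspi = b"\x11" * 8, b"\x00" * 8  # responder SPI is zero in the first message
    version = (major << 4) | minor
    return struct.pack(HEADER_FMT, ispi, rspi, next_payload, version,
                       exchange_type, 0, 0, HEADER_LEN + len(body)) + body


# Constructed sample datagrams (first message of each exchange, no payloads attached).
SAMPLES = [
    ("udp/500 main mode", 500, build_header(2)),
    ("udp/500 aggressive mode", 500, build_header(4)),
    # IKEv2 first message on NAT-T port: non-ESP marker, version 2.0, next payload 33 (SA).
    ("udp/4500 IKEv2", 4500, b"\x00" * 4 + build_header(34, major=2, next_payload=33)),
    ("udp/500 junk", 500, b"\x00" * 10),
]

if __name__ == "__main__":
    for label, port, pkt in SAMPLES:
        print(f"{label:24s} -> {classify(pkt, port)}")
```

The header alone tells you the exchange type, not the authentication method; to confirm a flagged aggressive-mode negotiation is actually using a pre-shared key you would additionally walk the SA payload's transform attributes and look for Authentication Method (attribute type 3) with value 1 (pre-shared key) as defined in RFC 2409 Appendix A. Feeding the classifier with the UDP payloads of a packet capture taken at the perimeter gives a quick inventory of peers that still attempt aggressive mode before the upgrade removes support for it.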

Issues Resolved

  • NC-21736 [Base System] Upload of Azure firmware fails if up2date is larger than 300MB
  • NC-21045 [CR-to-CN_Migration] Support migration from CR10.6.6 to SF v17.0
  • NC-22582 [Firewall] NAT chain failed if DNAT rule configured using wildcard FQDN
  • NC-22657 [Firewall] Cyberoam to SF v17 migration fails when virtual hosts with portforwarding and firewall rule with DNAT are used
  • NC-22508 [IPS] Change button text from "Cancel" to "Don't Upgrade Yet" in the firmware pop up
  • NC-22664 [IPsec] IPSec local id validation always fails if another connection uses external cert with remote gateway *
  • NC-22385 [Logging] Fix UI issues in new log viewer
  • NC-22523 [Logging] "Firewall Rule ID" label is sometimes displayed wrong as "Policy ID" in Logviewer
  • NC-22570 [Logging] "Copy_to Clipboard" text is added at the end of the log content copied
  • NC-22571 [Logging] Platform column details are not displayed properly under IPS logs
  • NC-22625 [Logging] Content match is not color coded if the match is a date
  • NC-22655 [Logging] Special chars need to be handled in the log viewer filter
  • NC-22656 [Logging] Results which match filter key are also highlighted
  • NC-22685 [Logging] Web filter icon shows red even when the log sub type is allowed in some cases
  • NC-22691 [Logging] In- and output interface show same name in logviewer standard view 'Firewall' log
  • NC-22612 [Mail Proxy] Control Center widget does not reflect email sandstorm activities
  • NC-22709 [Mail Proxy] SMTP connection issue with high latency mail servers
  • NC-22782 [Network Services] Remove *.cloudefront.net wildcard FQDN host
  • NC-21776 [Networking] MLM methods can be changed in HA via CLI from Auxiliary appliance
  • NC-22619 [Networking] Unicast route is removed from routing table after interface update
  • NC-22431 [nSXLd] Embedded URLs are categorized incorrectly
  • NC-22536 [Reporting] Manual filter is not working for application contain "\ & \\"
  • NC-22699 [Reporting] App details are missing for blocked applications
  • NC-22747 [Reporting] Report drill down stops working when using languages other than English
  • NC-22043 [Synchronized App Control] It is not possible to add new apps to application filter without customization
  • NC-22393 [Synchronized App Control] Synchronized Applications in reports doesn't display details for application
  • NC-22542 [Synchronized App Control] Use filename instead of full path in app list
  • NC-22719 [UI] Logviewer logs are not updated properly when switching between pages
  • NC-22130 [WAF] Issue with TLS settings for virtual webserver
  • NC-22610 [WAF] Logviewer does not show the affected entity name
  • NC-22654 [Web] Captive portal redirection does not work for iOS mobile devices
  • NC-22006 [Wireless] WPA2 KRACK vulnerability fixes (via pattern update)

Downloads

You can find the firmware for your appliance in the MySophos portal.

  • The recommended firmware version for Sophos XG is 16.05.8 MR8, so if your environment is complex and you can't tolerate downtime, then skip 17.0GA and keep using stable v16.

  • I've been bitten by the "frozen" bug: after a week and a half of upgrading from 16.5 MR8 to 17.0GA, my XG just suddenly became totally unresponsive, could not ping it, could not SSH, no web console, even the buttons on the front of it didn't work. I rolled back to 16.5 MR8 for the time being, cannot have a firewall that just totally locks up like this in production. Odd part is that none of the 17 betas or RCs did this on a test box we have.

  • v17 MR-1 had better be a good one!

  • IPSEC Site-to-site VPN is disconnecting constantly, had to revert back to v16 MR8.

  • Based on other posts on both the general and beta forums, and from my personal experiences (not saying much, but this is more than a single isolated incident), there is most definitely a bug in the GA17 code. Multiple devices that were upgraded to XGv17 become unstable after about 2 days, to the point where the GUI and CLI will not allow me to sign into the devices. The only way to resolve it is to reboot the devices. I've been using the Sophos SSL VPN for the bulk of the day today, and then became randomly disconnected. Upon investigation, the firewall is now in a locked state and won't even allow me to reconnect to my SSLVPN. After a reboot, all issues go away, and then it turns into a waiting game again. On RC1 I didn't seem to have these issues. The second device was on 16.5-MR8 and upgraded to GAv17, and has the same issues, so this is not related to a particular upgrade path a device has had.